DivestOS/Patches/Linux_CVEs/CVE-2017-9719/ANY/0001.patch
2017-11-07 17:32:46 -05:00

48 lines
1.7 KiB
Diff

From a491499c3490999555b7ccf8ad1a7d6455625807 Mon Sep 17 00:00:00 2001
From: zhaoyuan <yzhao@codeaurora.org>
Date: Mon, 20 Feb 2017 13:42:20 +0800
Subject: msm: mdss: hdmi: check up-bound of CEC frame size
the spec says the frame size will not be greater than
14, but this have a security hole when somebody sends
a message with a size greater than 14. So need check
up-boud of the CEC frame size.
Change-Id: I743208badc5e77ae911cfb2d102f758d4843138f
Signed-off-by: zhaoyuan <yzhao@codeaurora.org>
---
drivers/video/msm/mdss/mdss_hdmi_cec.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/video/msm/mdss/mdss_hdmi_cec.c b/drivers/video/msm/mdss/mdss_hdmi_cec.c
index a424d98..a4ed012 100644
--- a/drivers/video/msm/mdss/mdss_hdmi_cec.c
+++ b/drivers/video/msm/mdss/mdss_hdmi_cec.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2010-2017, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -196,7 +196,7 @@ static void hdmi_cec_msg_recv(struct work_struct *work)
msg.sender_id, msg.recvr_id,
msg.frame_size);
- if (msg.frame_size < 1) {
+ if (msg.frame_size < 1 || msg.frame_size > MAX_CEC_FRAME_SIZE) {
DEV_ERR("%s: invalid message (frame length = %d)\n",
__func__, msg.frame_size);
return;
@@ -216,7 +216,7 @@ static void hdmi_cec_msg_recv(struct work_struct *work)
msg.operand[i] = data & 0xFF;
}
- for (; i < 14; i++)
+ for (; i < MAX_OPERAND_SIZE; i++)
msg.operand[i] = 0;
DEV_DBG("%s: opcode 0x%x, wakup_en %d, device_suspend %d\n", __func__,
--
cgit v1.1